[00:00.000 --> 00:06.500]  Hello, everyone. My name is Marcelo Secuchin. Today I'm going to be talking about Chupacabra.
[00:06.500 --> 00:15.320]  It is an open source do-it-yourself tool for interacting with automotive CAN bus.
[00:15.900 --> 00:23.600]  Just a quick disclaimer, this presentation is based solely on my opinion. It has nothing
[00:23.600 --> 00:30.280]  to do with my employer. And keep in mind, if you attempt to do the things that I'm covering
[00:30.280 --> 00:38.220]  here, you might potentially damage your vehicle. And keep in mind, if you damage your vehicle,
[00:38.220 --> 00:45.500]  malfunctions may or may not incur safety issues for you and others. So be careful if you attempt
[00:45.500 --> 00:54.900]  to do stuff here. I cannot accept the risks. Okay. A little bit about me. I'm a security
[00:56.020 --> 01:02.780]  engineer. I do secure development lifecycle. I work close with the dev teams on my daily
[01:02.780 --> 01:11.760]  basis to make sure they write secure code and applications. I try to do a lot of automation
[01:11.760 --> 01:24.200]  with Python. And surprise, surprise, the Chupacabra that I develop uses Python a lot.
[01:24.200 --> 01:34.040]  And my first exposure to CAN, to the CAN protocol, was a while ago when I was a secured software
[01:34.040 --> 01:43.180]  engineer and I developed some industrial control software. And we know that a lot of PLCs rely on
[01:43.180 --> 01:52.420]  the CANopen protocol for communication. I also like building stuff with single board open source
[01:52.420 --> 02:01.500]  hardware, such as BeagleBone and Raspberry Pi. And one of the cool things that I built was some
[02:01.500 --> 02:11.460]  coding bots, so I could teach my kids learning Python. And this is what brought me here because I
[02:11.460 --> 02:21.780]  attempted to, when I tried first to do some CAN hacking, I researched and CANtact was the most
[02:22.860 --> 02:31.240]  known tool for doing that. And because of and but it was sold out on a lot of vendors and
[02:31.240 --> 02:38.940]  they even mentioned it was because of DEF CON. It was really interesting. And then I remembered that
[02:39.800 --> 02:47.240]  one of those bots that I built for my kids, I used the BeagleBone Blue, which
[02:48.040 --> 02:57.880]  had an embedded CAN controller and the transceiver on it. So and I thought considering
[02:57.880 --> 03:07.760]  options and I said, well, why not try doing that using a BeagleBone Blue rather than waiting longer
[03:07.760 --> 03:20.760]  for them to be able to buy the CANtact. So this presentation is about how to use BeagleBone Blue
[03:20.760 --> 03:29.560]  SocketCAN and python-can to do to interact with the CAN bus on your vehicle, more specifically to
[03:29.560 --> 03:39.220]  the ODB2 CAN bus. At the end, I will bring some research I have ongoing, still ongoing, no solid
[03:39.220 --> 03:47.440]  results, but trying to connect to ECUs directly. It is possible, but it's still an ongoing work.
[03:48.340 --> 03:56.800]  And I plan to make it interesting for both newcomers like me that are attempting car
[03:56.800 --> 04:04.820]  hacking for the first time. So the Chupacabra is easy enough to build and plug into your car and
[04:04.820 --> 04:11.620]  start doing stuff. But it could be very useful for more experienced hackers as well, because
[04:11.620 --> 04:19.640]  since it's a single board computer, you could easily extend it to different applications or
[04:19.640 --> 04:28.500]  use cases that you might have when you're doing your hacking. So all the Chupacabra code is
[04:28.500 --> 04:34.960]  available on GitHub. So if you're an expert, chances are that all you need to know from
[04:34.960 --> 04:41.900]  this presentation is this URL. So you can take a look on the code. And also, on GitHub, I share
[04:42.220 --> 04:52.200]  a link to a Hackster.io tutorial that I wrote with very detailed step-by-step instructions,
[04:52.200 --> 05:00.020]  so you can build a Chupacabra device exactly to the one that we're going to cover today.
[05:00.020 --> 05:07.100]  And I hope that I'm going to share the mistakes that I made when I was attempting to do it for
[05:07.100 --> 05:14.720]  the first time. And hopefully, it will help others when trying to do that. And with a device
[05:14.720 --> 05:21.440]  easy enough to build, potentially, you can engage more people on attempting car hacking and growing
[05:21.440 --> 05:30.840]  the community. So this is the device. It's basically a BeagleBone, as you can see here,
[05:32.410 --> 05:41.320]  with some add-ons. So basically, I connected a USB cellular modem here on the USB jack.
[05:41.320 --> 05:51.960]  I connect a DC jack here, so I get power from the ODB2 port on my car. And of course, I will need
[05:53.340 --> 06:03.400]  a ODB connector to connect it to my car. And here, this is the CAN port on the BeagleBone
[06:03.400 --> 06:14.220]  Blue. So all you need to do is to connect a JST-SH cable here. And then on the back, you connect it
[06:14.840 --> 06:25.120]  to your ODB2 extension cable. Of course, you can wire it directly to... this is the back
[06:25.940 --> 06:35.640]  of the device. We can also see that I use a battery. It's completely optional, but you can
[06:35.640 --> 06:43.200]  use it even if you're... let's say you were building a car tracking application. And even
[06:43.200 --> 06:51.180]  after your car batteries die, using the battery, your BeagleBone will be still alive and you can
[06:51.180 --> 06:58.420]  still track the GPS coordinates with this GPS module here and potentially recover your car,
[06:58.420 --> 07:06.380]  if that is your goal. So I use a very simple material. So I use a plastic plate like this
[07:06.380 --> 07:14.000]  to put all the pieces together. Some rubber bands, but you can build it differently. Again,
[07:14.000 --> 07:20.540]  all the instructions are on the Hackster.io article. And all you need to do is to put all
[07:20.540 --> 07:29.580]  those pieces together so you have a functioning BeagleBone to plug to your ODB2 port on your car.
[07:29.740 --> 07:38.120]  And also, you don't need to add all those parts together. I would say if all you need to
[07:38.120 --> 07:48.360]  want to do is to just use SocketCAN to exchange some CAN messages with your car,
[07:48.360 --> 07:57.020]  all you need to do is, of course, the BeagleBone Blue and a connector like this.
[07:57.020 --> 08:04.600]  The name is a JST-SH connector. You connect it to one end of the BeagleBone and then
[08:05.020 --> 08:15.020]  you can use solid hookup wires like this to connect it to this connector. And then
[08:15.020 --> 08:23.220]  the other end directly to the ODB ports to your car if you want to keep things simple. Or
[08:24.140 --> 08:33.020]  you can just build it using the ODB2 extension like this. Okay, so what does...
[08:33.760 --> 08:42.400]  once you build your device, what does it do? So the idea here is to create a connection
[08:43.040 --> 08:50.860]  between your CAN bus from inside your vehicle to the outside world. So from my perspective,
[08:50.860 --> 08:58.440]  I can assume that most of the manufacturers create a threat modeling of their CAN bus system,
[08:58.440 --> 09:05.620]  assuming that they are going to be isolated from the outside world. So of course, you would need
[09:05.620 --> 09:13.220]  physical access to the car. But the idea here is to create an easy way of so you can exfiltrate
[09:13.220 --> 09:20.800]  data from your car to the CAN bus. And the BeagleBone Blue makes it very convenient because
[09:20.800 --> 09:29.700]  it's really easy to connect the GPS module that I showed before. And on the top of that,
[09:29.700 --> 09:38.540]  it already has the embedded Wi-Fi access point and interface. So you can connect it directly
[09:38.540 --> 09:45.880]  or connect it to your Wi-Fi network and access the internet. Or as I showed, you could use
[09:46.620 --> 09:54.280]  a cellular modem like this to the USB port. And even if your car drives away and goes out of
[09:54.280 --> 09:59.520]  the range of your Wi-Fi network, you still have communication to your vehicle and you would be
[09:59.520 --> 10:06.660]  able to potentially send CAN messages to your car remotely. And one other cool thing about
[10:06.660 --> 10:14.000]  doing it using a single board computer, you can easily expand it to some other different
[10:14.000 --> 10:20.100]  applications. You can, for instance, create a geofence application. You want to maybe disable
[10:20.100 --> 10:28.460]  your car if it goes too far. Or maybe you want to track it back. You can, for instance,
[10:28.460 --> 10:40.240]  plug USB cameras and microphones. So if you want to capture audio. You can even use servos because
[10:40.240 --> 10:48.600]  the BeagleBone Blue is a robotic... it's intended for robotic applications. So you can plug servos
[10:48.600 --> 10:55.160]  here on those rails and perform some physical actions inside your car if you need it. You can
[10:55.160 --> 11:04.600]  even try to robotify your car, let's put it that way. So this is what it... oops, sorry. This is
[11:04.600 --> 11:13.040]  what it does. And once we run the Chupacabra inside your car, you're going to see on your
[11:13.040 --> 11:19.740]  local terminal, I'm assuming you SSH to your BeagleBone, and you're going to see once you run
[11:19.740 --> 11:26.020]  the Python script, you're going to see on your terminal what we have on the left. By default,
[11:26.020 --> 11:34.540]  it will start monitoring your vehicle speed from the ODB2 port, the RPM, and the temperature.
[11:35.320 --> 11:42.040]  And we'll also start sending all that information along with the GPS coordinates
[11:42.520 --> 11:52.080]  to a Flask application running on AWS. The source code for the Flask application is also available
[11:52.580 --> 12:00.740]  on the GitHub repo. So as I mentioned, by default, it will send only vehicle speeds,
[12:00.740 --> 12:14.140]  temperature, and RPM. But if you want to use other ODB2 PID from your ODB2 port,
[12:14.520 --> 12:22.880]  I created this convenient CSV file that if on the left column here, on the Enable Disabled
[12:22.880 --> 12:34.440]  column, you just set 0 and 1 to the ODB2 PIDs that you want to enable or disable. So as you
[12:34.440 --> 12:41.600]  can see here, this is one example. And all you need to do is customize it, and then you should
[12:41.600 --> 12:49.460]  be able to monitor other information from the ODB2 port other than the speed, temperature,
[12:49.460 --> 13:00.640]  and RPM. Okay, so how do you connect a BeagleBone to your ODB2 port? As I mentioned before,
[13:00.640 --> 13:12.200]  you have the CAN connector here. You use the JST connector to plug it here. And then all you need
[13:12.200 --> 13:22.580]  to do is to go to the female ODB2 port on your car and connect the CAN high and CAN low pins to
[13:23.260 --> 13:35.360]  the pin 6 and 14 respectively on your ODB2 port on your car. And it brings me to the first mistake
[13:35.360 --> 13:45.660]  I made. Keep in mind that this schematic, these pin numbers, are related to the female ODB2 port.
[13:45.660 --> 13:54.680]  So initially, what I tried to do, as you can see here on this picture, I connected the JST
[13:54.680 --> 14:04.300]  connector to the BeagleBone, and I used some hookup cables, and I cut a cable like this,
[14:04.300 --> 14:11.940]  and for convenience, I would connect my BeagleBone hookup wires to a male ODB2 connector.
[14:12.280 --> 14:19.760]  And keep in mind, if you do that, the numbers 1 to 8 will be mirrored because the female connects
[14:19.760 --> 14:27.460]  front to front, the male and female connects like this. So the eighth pin here on the female
[14:27.460 --> 14:34.620]  is actually the third pin here on the male. So keep those things in mind. This is a mistake that
[14:34.620 --> 14:43.180]  I made, and I believe I want to just prevent you from wasting time troubleshooting those things.
[14:43.400 --> 14:50.940]  And other mistakes that I did, and it could potentially help you when attempting this.
[14:51.580 --> 14:59.080]  So use a multimeter is your friend. I would be able to easily catch up that mistake if you use
[14:59.220 --> 15:07.660]  a multimeter and make sure you have some voltage on the pins that you want to tap in. And by the
[15:07.660 --> 15:13.640]  way, on my car, the pins 3 and 11 that I connected by mistake initially, they don't have any voltage
[15:13.640 --> 15:19.060]  there because they don't do anything. So with a multimeter, you would be able to catch issues
[15:19.060 --> 15:28.640]  like this. Another mistake that I did was when I saw candump, I assume a tcpdump. So
[15:29.380 --> 15:37.660]  it's a sniffer, right? Sniffing traffic, so they should be similar. They are in some extent.
[15:37.660 --> 15:45.480]  However, CAN bus is not Ethernet. You need at minimum two nodes on the bus so you can
[15:45.480 --> 15:53.800]  potentially transmit and sniff some traffic. So initially, I enabled the CAN interface on my
[15:53.800 --> 16:01.440]  BeagleBone. I started candump on one terminal. I started doing cansend on the other. And I didn't
[16:01.440 --> 16:07.960]  see anything. And I didn't know why. The reason is because you need two nodes so you have at
[16:07.960 --> 16:14.860]  minimum, so you have a CAN. But even before doing that, what I would recommend, play a little bit
[16:14.860 --> 16:25.180]  with vcan first. It's very easy to install vcan on a Ubuntu Linux, for instance, and then you can
[16:25.880 --> 16:34.380]  do the cansend and candump and monitor the messages and understand how it works before
[16:34.380 --> 16:41.840]  even attempting to a real physical CAN. Another common issue that I had to face is you have to
[16:41.840 --> 16:50.900]  know the bitrate. So if you want a CAN bus to work properly. And for my vehicle, by default, it
[16:50.900 --> 17:01.620]  uses 500k baud rate. And yours might be different. So keep that in mind. So this is a suggestion.
[17:01.620 --> 17:08.240]  So if you want to make sure your Chupacabra is working and you understand a little bit how CAN
[17:08.240 --> 17:17.640]  works, create a CAN bus breadboard like this. It's really simple. You just use some
[17:17.640 --> 17:24.080]  jump wires to hook your JST connectors to a breadboard. The only thing you need to know is
[17:24.800 --> 17:31.340]  I'm using blue for CAN high here and white for CAN low. The only thing that you need to know is you
[17:31.340 --> 17:42.420]  need a 120 ohms resistor at each end connecting the CAN high and CAN low
[17:42.420 --> 17:50.640]  rails. It's going to be very helpful because then you can plug two BeagleBones, for instance,
[17:50.640 --> 17:59.180]  and exchange some CAN messages between each other with candump. Another useful thing
[17:59.180 --> 18:07.240]  that I would recommend, not necessarily, but it might be helpful, is to cut a extension cable
[18:07.240 --> 18:16.980]  like this. So if things are not working properly, for instance, I bought a very simple device like
[18:16.980 --> 18:25.360]  this. It's a scan tool that supports scan ODB2. It's very cheap. And it was working. And I didn't
[18:25.360 --> 18:33.800]  know why my BeagleBone wasn't working properly. So I created this. I cut this cable and hooked
[18:33.800 --> 18:41.220]  one through 16, all the pins on my breadboard rails. And then I was able to connect it,
[18:41.220 --> 18:50.340]  this device to this extension and the extension to the car. And then here on the picture with
[18:50.340 --> 19:01.100]  the zoom, I could hook the JST connector to this breadboard and then start candump there.
[19:01.100 --> 19:07.380]  And for instance, use this device to retrieve the VIN number. And then I would see the exactly
[19:07.380 --> 19:13.980]  messages that it was exchanging and understand what could be wrong with my BeagleBone that I
[19:14.620 --> 19:22.480]  wasn't getting right. And in my case, what I didn't know at that time was this. I was expecting
[19:22.480 --> 19:29.760]  to plug the BeagleBone to the ODB2 port, start candump, and I was expecting to see a lot of
[19:29.760 --> 19:37.980]  traffic there. But what I noticed is that my ODB2 port was silent. It was just listening to...
[19:37.980 --> 19:44.980]  because it was segmented to the other CAN buses on the car. So it was just waiting for
[19:45.820 --> 19:52.800]  some specific CAN messages to reply to it. And this is exactly what happened. This is
[19:52.800 --> 20:01.920]  when I sniffed the commands from this device here, that was the CAN message I saw. And then
[20:02.480 --> 20:08.460]  using the candump on the can0 from the BeagleBone, I saw the request and the response
[20:08.460 --> 20:19.500]  with my VIN number there. All right. So let's say you're confident enough, you understand how to
[20:19.500 --> 20:28.620]  play with CAN bus using a BeagleBone. And now you wanna... and you built your Chupacabra device,
[20:28.620 --> 20:36.360]  you wanna run it on your vehicle. So my suggestion would be play a little bit first
[20:36.360 --> 20:42.960]  with SocketCAN and make sure everything is working. So just try different bit rates,
[20:42.960 --> 20:48.600]  for instance, here on this, I'm trying the 500k, which is what worked for my car.
[20:48.600 --> 20:56.540]  Enable the can0 interface and open another terminal with candump. And on a different
[20:56.540 --> 21:04.780]  terminal, you send the request VIN message. And by the way, all those messages, including
[21:04.780 --> 21:11.940]  this request VIN, is available on the CSV worksheet that I have available on GitHub.
[21:11.940 --> 21:18.220]  So you can try different stuff there. Once you know, once you see the request and the response,
[21:18.220 --> 21:25.900]  you know that your Chupacabra and your BeagleBone is able to properly use SocketCAN in your car.
[21:26.720 --> 21:34.920]  And then if you want to test the GPS module, I would recommend using this tio command.
[21:35.200 --> 21:44.820]  By default, it uses the serial port TTY02 with baud rate 4800. This is a specific one that I
[21:44.820 --> 21:53.640]  use it. All the parts are listed on the Hackster.io article, and I point to vendors that supply them.
[21:53.640 --> 22:00.880]  So, and when you start the tio command, you're going to see a lot of GPS sentences
[22:00.880 --> 22:07.940]  flowing around. And wait a little bit for the module to find a GPS satellite.
[22:08.000 --> 22:14.540]  And once you get some GPRMC sentences, similar to this one that I have on screen,
[22:14.540 --> 22:22.180]  you can use an online decoder, just like this RL.SC. It's really cool, by the way.
[22:22.600 --> 22:29.520]  You just need to provide the GPRMC and it will plot your exact locations on a map.
[22:31.180 --> 22:36.560]  For cellular connection, so for connection, all you need to do is to make sure you have
[22:37.260 --> 22:48.960]  internet connection from your BeagleBone, either by using a Wi-Fi network or a cellular LTE modem,
[22:48.960 --> 22:55.240]  which is what I did. I use the Hologram vendor because it's very Python friendly.
[22:55.320 --> 23:02.660]  The documentation is really good, so it was really easy to install it and get it working on my
[23:02.660 --> 23:07.560]  BeagleBone. Again, all the documentation is available on my Hackster.io article.
[23:07.760 --> 23:12.740]  And at the end of the day, all you need to do is to ping a public server on the internet and make
[23:12.740 --> 23:19.920]  sure you have internet connection so the data that your Chupacabra is capturing can be exfiltrated
[23:19.920 --> 23:26.800]  to a server. And once you know everything is working properly, it is time for you to clone
[23:26.800 --> 23:34.220]  the repo. Go to the Chupacabra folder and play around a little bit with the CSV files and enable
[23:34.220 --> 23:42.320]  and disable the ODB2 PIDs that you are interested in. And then just run the Python script. And by
[23:42.320 --> 23:49.760]  the way, it's all Python 3 based. I don't think it works with Python 2. And if everything goes
[23:49.760 --> 23:56.220]  well, you're going to see all the ODB2 PIDs that you enabled being displayed on the screen.
[23:56.400 --> 24:02.600]  And also, if you have an internet connection, by default, it's going to be exfiltrated to this
[24:02.600 --> 24:11.360]  public AWS Flask app that I had running. And by default, the script points to that. If you want
[24:11.360 --> 24:21.000]  to create your own, just use the code available on this server or on this GitHub repo. And then
[24:21.000 --> 24:29.100]  you can customize it, run in a different cloud environment and customize it any way you want.
[24:30.140 --> 24:39.640]  Okay, let me run a quick demo video here so we have an idea how the Chupacabra works.
[24:40.560 --> 24:49.640]  So, this is the device. I'm going to plug into the ODB2 port from my car. The engine is on,
[24:49.640 --> 24:58.700]  already running. Yeah, so I'm just showing where is the ODB2 port on my vehicle. It's usually
[24:58.700 --> 25:05.980]  some close to the steering wheel. And then I'm going to put it on the dashboard because I'm
[25:05.980 --> 25:10.460]  going to monitor it from outside the vehicle. This is something that is really convenient
[25:10.460 --> 25:17.420]  compared to the other solutions. Because you have the embedded access, Wi-Fi access point on the
[25:17.420 --> 25:24.080]  vehicle, you can just connect to it and run Chupacabra from there. This is what you would
[25:24.080 --> 25:31.560]  get on your terminal if everything goes well. And then you can monitor your car. Of course,
[25:31.560 --> 25:39.000]  if it goes out of range, it won't work. But you can monitor your ODB2 data
[25:39.000 --> 25:49.560]  from outside the car. Now, I have a test from inside the car. Here is I'm running
[25:50.580 --> 25:58.400]  the same test from inside the car. But the cool thing here is I'm going, I perform a lap around
[25:58.400 --> 26:07.680]  the course, and I'm monitoring the GPS data. So, it's exfiltrating using the cellular network to
[26:07.680 --> 26:17.140]  AWS server that I had running, right? And you're going to freeze the video exactly
[26:18.720 --> 26:25.660]  where the coordinates was exfiltrated. Then when I got home, I just visited the public
[26:26.760 --> 26:36.340]  AWS Flask application, and I saw all the GPRMC sentences available there, and I could plot them
[26:36.340 --> 26:45.860]  on the map. So, if I was away from the vehicle, I would be able to track it wherever it was.
[26:47.140 --> 26:53.920]  And if you plot all the, and it will, GPS will also give you the speed. And if you plot all the
[26:53.920 --> 27:01.720]  coordinates that are available in the application, you would have an idea from where the vehicle was
[27:01.720 --> 27:09.760]  traveling. So, I performed a course around a few blocks, and this is what I show here.
[27:10.200 --> 27:23.330]  All right. So, this is how the device works, right? So, it is able to exfiltrate
[27:23.330 --> 27:32.470]  ODB2 and GPS data. But what's next? And this is a currently work. I have only preliminary results,
[27:32.470 --> 27:39.090]  but probably the next thing that you want to do is to go beyond of the ODB2 CAN bus,
[27:39.090 --> 27:46.150]  and actually tap into a real CAN bus for your vehicle. And you can do it using the exactly
[27:46.150 --> 27:53.110]  same device. So, what I've been doing so far, so rather than reverse engineering every wire inside
[27:53.110 --> 28:03.530]  and disassembling my dashboard, that would be insane hard work to do, you can alternatively
[28:03.530 --> 28:11.930]  go to your dealership and get a book like this, a supplemental, electric supplemental manual,
[28:11.930 --> 28:19.070]  and it will give you a lot of detailed information about all the cables, where all the
[28:19.530 --> 28:26.090]  electronic components from your vehicles are located, and the connections between them.
[28:26.570 --> 28:36.410]  So, for instance, really close to my steering wheel on my vehicle, I have this ETAC ECU
[28:36.410 --> 28:44.050]  that is also located pretty close to the ODB2 connector. So, I thought, okay, let me connect
[28:44.050 --> 28:52.010]  those two CAN buses that are segmented from my vehicle, and then I can monitor everything.
[28:52.070 --> 28:59.910]  And that was my goal. So, knowing where the ECU is, it's pretty, helps a lot.
[29:00.370 --> 29:06.170]  And here is a picture of the vehicle. So, to get physical access to that specific ECU,
[29:06.170 --> 29:10.850]  all we needed to do was to remove a couple of plastic covers from my vehicle.
[29:10.850 --> 29:18.770]  And that was it. I could see the ECU from the bottom of the driving seat.
[29:20.190 --> 29:26.310]  And also, the electronic supplemental will give you detailed information about the ECUs on your
[29:26.310 --> 29:33.330]  car. So, for this one specifically, if you look to the picture on the left, on the bottom, I have
[29:33.330 --> 29:41.890]  this C411 connector. And if you go deep on the manual, you're going to notice, then on the
[29:41.890 --> 29:48.970]  diagram on the right, on the top, you have, you know, you would know that the C411 connector
[29:49.500 --> 29:57.270]  is actually connected to a CAN drive. And the pins eight and nine are connected respectively
[29:57.770 --> 30:07.870]  to CAN low and high to another component they call ECM on this vehicle. And not only that,
[30:07.870 --> 30:16.190]  you know, you have the wiring colors used for those cables. So, I know that the CAN high
[30:16.580 --> 30:29.350]  on pin nine is BR, which is brown cable, and the CAN low on pin eight is Y, a yellow cable.
[30:29.350 --> 30:39.330]  So, looking carefully inside my dashboard, I was able to find this ETOX ECU with this specific
[30:39.330 --> 30:48.590]  connector. And you can see the brown and yellow cable on pins eight and nine. And also close to
[30:48.590 --> 31:00.070]  the arrow that I put, you can see the ODB2 port on the top. So, again, so what I needed to do,
[31:00.070 --> 31:06.290]  all I needed to do is to use a hookup wire like this. This is not the actual CAN cable. It's just
[31:06.490 --> 31:14.410]  a hookup wire that I manually twisted myself. Oh, this is another common mistake. Make sure
[31:15.280 --> 31:20.710]  you either use a real CAN cable, or if you're using hookup wires like me, make sure they are
[31:20.710 --> 31:27.410]  not too long, because they might not function well. And you can try to manually twist them to
[31:27.410 --> 31:34.610]  mimic what a real CAN cable would, the physical properties of a real CAN cable.
[31:35.470 --> 31:46.730]  But back to this, be aware that by bridging those segmented CAN buses on your car,
[31:46.730 --> 31:53.450]  you may, you might damage your electronic components on your car,
[31:53.450 --> 32:00.750]  and incur safety issues for you and for others. So be sure you know what you're doing, and be
[32:00.750 --> 32:11.570]  careful. Okay, so once I got a good physical connection with those pins, I used a multimeter
[32:11.570 --> 32:20.990]  to make sure I had good wiring. On this specific ECU, when I have the ignition off, it gives me
[32:20.990 --> 32:33.310]  1.13 volts, but when I turn the ignition on, I get the expected 2.5 volts. Another mistake that I
[32:33.310 --> 32:42.630]  did, I recommend turning on the engine, because you would very quickly kill your battery. I did
[32:42.630 --> 32:49.830]  that, don't make the mistakes that I did. Okay, so now that I know with the multimeter that I have
[32:50.310 --> 32:57.610]  a good physical connection with the ECU, I connected the other end of the hookup wires
[32:57.610 --> 33:07.550]  directly to the back of the BeagleBone with the other, with the existing CAN high and CAN low
[33:08.650 --> 33:19.250]  cables, wires that I had to the ODB2. And that's all I needed to do. And then by doing that,
[33:19.250 --> 33:27.750]  as opposed to the initial result that I had only with the CAN, the ODB2 CAN, now if I run
[33:28.350 --> 33:36.750]  candump from the Chupacabra device, now I see a lot of traffic between this ETACC ECU
[33:36.750 --> 33:49.230]  that I connected and the other electronic device ECM from my vehicle. I can tell,
[33:49.230 --> 34:00.810]  and exchange information through the CAN bus. All right, so that's where I got so far.
[34:00.810 --> 34:07.430]  What I'm planning to do, that's what I'm trying to do right now, is to reverse engineering some
[34:07.430 --> 34:16.590]  of those messages. For instance, I'm trying to use candump to write, to save the traffic,
[34:16.590 --> 34:21.990]  to dump the traffic to a local file, do something on the vehicle, for instance,
[34:21.990 --> 34:29.450]  opening and closing the power window, and then using canplayer, try to replay the traffic,
[34:29.450 --> 34:37.890]  and try to open and close the window just by replaying the messages. The problem is,
[34:37.890 --> 34:45.250]  I wasn't so successful doing that so far. And every time I try that, I get a beautiful and
[34:45.250 --> 34:54.530]  shining service engine light on my vehicle, and I might break my vehicle at some point.
[34:54.550 --> 35:00.610]  And not only that, maybe I'm not even connected to the right CAN bus that I should be tapping
[35:00.610 --> 35:08.210]  into if I want to open and close the window. So I have a lot of work to do to do that yet.
[35:08.210 --> 35:14.750]  But what tells me I'm on the right path is, when I do cansniffer, unfortunately,
[35:14.750 --> 35:22.630]  because it's a very busy CAN bus, it's still very polluted to me to tell exactly what's going on
[35:22.630 --> 35:28.790]  when I open and close the window. But I see something go, some action, there are some
[35:28.790 --> 35:35.950]  different, some new messages showing up when I'm doing those actions. So I still don't know
[35:35.950 --> 35:42.410]  what's going on, but that's what I'm trying to do. Get some interesting CAN messages so I can
[35:42.410 --> 35:51.330]  replay them later. So since I wasn't able to get, for instance, the opening and closing window yet,
[35:51.330 --> 35:58.250]  let's assume the message that I want to do remote execution on my car is the retrieve
[35:58.250 --> 36:06.170]  VIN message, right? Which is the one I'm highlighting here with the cansend command.
[36:06.170 --> 36:15.170]  So my goal is to create a kind of RPC where I have a new endpoint on the
[36:15.170 --> 36:22.430]  on the Flask application running on the cloud that I would be able to send any CAN message
[36:22.430 --> 36:30.870]  that I wanted to be executed remotely on the car. Of course, I had to URL encode the
[36:30.870 --> 36:42.030]  hashtag here so I could post this URL to my Flask application and get it available.
[36:42.190 --> 36:47.630]  And in order to do that, here's an oversimplified version of the changes that
[36:47.630 --> 36:53.990]  would be needed on the current Chupacabra implementation. And by the way, once I get it
[36:53.990 --> 37:00.450]  working, I will update the code and make it available. But if community guys, if you feel
[37:00.450 --> 37:07.190]  free to fork the code and or even submit pull requests, I would be very excited if people
[37:07.830 --> 37:14.310]  would start doing that, actually. But the idea here is to do what I showed before,
[37:14.310 --> 37:23.270]  submitting messages remotely to create this kind of reverse HTTP command and control,
[37:23.270 --> 37:32.510]  I would create on the server application a queue into new endpoints, a GET and POST endpoint on
[37:32.510 --> 37:40.390]  this RPC endpoint. And whenever you send a GET a POST message with the CAN message,
[37:40.390 --> 37:49.050]  it would add to the queue. And then on the GET request, you would pop a message,
[37:49.050 --> 37:57.970]  CAN message from the queue and then you execute it on the client. So the changes on the client,
[37:57.970 --> 38:08.570]  the Chupacabra.py, would be basically hitting the RPC flask application with the GET request.
[38:08.570 --> 38:15.350]  It would give you a keyword CAN message that you submitted, and then it would send it to the bus
[38:15.350 --> 38:22.330]  and execute on your car. Of course, this is a very oversimplified version. Just to illustrate,
[38:22.330 --> 38:28.790]  you would need to add some error catches here, some logic, and even you would need to parse
[38:28.790 --> 38:38.490]  the JSON data to put your CAN message together. But that's the idea. So this is one suggestion,
[38:38.490 --> 38:51.130]  this is what I'm going for. But again, it's a Python code on an open source hardware platform.
[38:51.130 --> 39:01.350]  Feel free to do whatever you want to do with it. And the takeaways here from this presentation
[39:02.150 --> 39:09.230]  is, again, I want to build an open source hardware and software platform that could be
[39:09.230 --> 39:16.210]  useful for newcomers that are attempting this for the first time, but also for more experienced
[39:16.210 --> 39:24.590]  guys that see a need for a single board computer running on a car where they could remotely
[39:25.240 --> 39:35.730]  do some stuff there. Currently, the code that I have on GitHub only do GPS and ODB2 CAN
[39:36.270 --> 39:44.600]  messages, data exfiltration. But as I just showed, I plan to expand it in the future.
[39:46.210 --> 39:53.680]  Yeah, so let's use it, guys. I'm open to feedback. Let's grow the community.
[39:54.590 --> 40:05.090]  And let's have fun. Oh, one thing I would like to thank my friend Robert from Autobahn AI.
[40:05.090 --> 40:13.550]  He helped me a lot with all his knowledge on automotive CAN with issues that I have,
[40:13.550 --> 40:19.390]  troubleshooting things and attempt different approaches. So thank you, Robert. It was really
[40:19.390 --> 40:28.850]  appreciated. And that's all I have, guys. So again, all the information that you need to
[40:28.850 --> 40:36.350]  build the Chupacabra is available on GitHub. And if you have any questions, suggestions,
[40:36.350 --> 40:45.310]  hit me on social media. I would be very happy to see people using the device. And
[40:46.070 --> 40:53.810]  if people have the same issue that I have trying to buy other open source tools because they were
[40:53.810 --> 41:03.350]  sold out, let's make BeagleBone sold out. I'm going to measure the success of this presentation
[41:03.870 --> 41:12.090]  based on whether or not we can sell out all the BeagleBone Blues next year because everybody
[41:12.090 --> 41:20.190]  will be trying to hack their cars using this open source platform. So again, thank you, guys.
[41:21.410 --> 41:29.550]  I'm open for questions. Reach out to me either on social media or on the Q&A session.
